Support for SMTP chunking?

Do the Bro analyzers support SMTP “chunking” verb/command?




So after a long weekend of Bro, I believe I’ve confirmed that Bro does not currently support parsing BINARYMIME/CHUNKING style connections or formatting. I was able to write a small PoC script to print the MIME record to confirm the data is present but not being parsed by SMTP base. We’ve resolved this by disabling the BINARYMIME and CHUNKING SMTP verbs as advertised on the SMTP server, and the upstream SMTP server now connects using the traditional DATA command, resulting in Bro being able to parse that traffic.
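
An added illustration, not part of the original thread and not Bro code: the framing difference behind the gap described above. Per RFC 3030, `BDAT <size> [LAST]` carries exactly `size` raw octets with no dot terminator, so a parser that only follows `DATA` never sees the body. The function name and the sample session are constructed for this example.

```python
import re

BDAT_RE = re.compile(rb"^BDAT (\d+)( LAST)?$", re.IGNORECASE)

def extract_bodies(stream: bytes) -> list[tuple[str, bytes]]:
    """Return (mode, body) for each message in the client side of an SMTP session."""
    bodies, chunks, pos = [], [], 0
    while pos < len(stream):
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            break  # trailing partial command line
        line, pos = stream[pos:eol], eol + 2
        m = BDAT_RE.match(line)
        if m:
            # BDAT: the next <size> octets are message data, taken verbatim.
            size = int(m.group(1))
            if pos + size > len(stream):
                raise ValueError("truncated BDAT chunk")
            chunks.append(stream[pos:pos + size])
            pos += size
            if m.group(2):  # LAST closes the message
                bodies.append(("BDAT", b"".join(chunks)))
                chunks = []
        elif line.upper() == b"DATA":
            # DATA: body runs to <CRLF>.<CRLF>; search from the DATA line's own
            # CRLF so an empty body is handled.
            end = stream.find(b"\r\n.\r\n", pos - 2)
            if end == -1:
                raise ValueError("unterminated DATA body")
            raw = stream[pos:end + 2]
            bodies.append(("DATA", re.sub(rb"(?m)^\.", b"", raw)))  # undo dot-stuffing
            pos = end + 5
    return bodies

# Constructed sample: one message sent with BDAT, one with DATA.
CHUNK1 = b"Subject: hi\r\n\r\n"
CHUNK2 = b"\r\n.\r\nQUIT\r\n"  # raw octets that a dot-terminated parser would misread
SAMPLE = (
    b"EHLO client.example\r\nMAIL FROM:<a@client.example> BODY=BINARYMIME\r\n"
    b"RCPT TO:<b@server.example>\r\n"
    + b"BDAT %d\r\n" % len(CHUNK1) + CHUNK1
    + b"BDAT %d LAST\r\n" % len(CHUNK2) + CHUNK2
    + b"MAIL FROM:<a@client.example>\r\nRCPT TO:<b@server.example>\r\n"
    b"DATA\r\nSubject: x\r\n\r\n..dot\r\n.\r\nQUIT\r\n"
)

if __name__ == "__main__":
    for mode, body in extract_bodies(SAMPLE):
        print(mode, body)
```

Counting `BDAT` bodies per connection in a capture is a quick way to measure how much mail content a `DATA`-only analyzer is not inspecting.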